
Yahoo Sued For Password Breach

Posted by samzenpus
from the see-you-in-court dept.
twoheadedboy writes "Yahoo is being sued by one of its users, who has claimed the US Internet company was guilty of negligence when 450,000 passwords of the members of the Yahoo Voices blogging community were posted online. Jeff Allan from New Hampshire has turned to a federal court in San Jose, California, after his eBay account, which used the same password as his Voices account, was compromised. The breach at Yahoo followed similar hits on LinkedIn and Nvidia, which together saw millions of passwords leaked."
  • by O'Krap (1081619) on Friday August 03, 2012 @12:37AM (#40864721)
    One could say that reusing a password is negligent....
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      But then one would be forced to be a complete idiot who implicitly stated that passwords were a good measure and that people have good enough memories and enough time on their hands to manage one unique strong password for every website they visit.

      Luckily one wouldn't say that. (maybe you would though.)

      • by Geeky (90998)

        Regardless of whether passwords are a good measure, I do use a unique strong password for every important site I visit - i.e. ones that store personal or financial information. Not so bothered with forum logins and the like where it really doesn't matter all that much if they're compromised.

        I only remember one password, though, and that's the one to my password database that's stored locally on my PC. I use KeePass, but there are plenty of other password safe applications.

        • by tepples (727027)

          I do use a unique strong password for every important site I visit - i.e. ones that store personal or financial information. Not so bothered with forum logins

          You might be surprised at what the law considers "personal information". Even an e-mail address, used to notify you of new posts on a forum or to act as a unique key in the user list, is "personal information" under at least one U.S. federal law.

          I only remember one password, though, and that's the one to my password database that's stored locally on my PC.

          So what do you do when you want to check your bank balance from a machine other than your PC?

          • by bensode (203634)

            So what do you do when you want to check your bank balance from a machine other than your PC?

            Keep a non-encrypted version of that file in Dropbox, of course! It is password protected, right? ;)

          • by Geeky (90998)

            You might be surprised at what the law considers "personal information". Even an e-mail address, used to notify you of new posts on a forum or to act as a unique key in the user list, is "personal information" under at least one U.S. federal law.

            Yes, but what I'm saying is it doesn't really matter if someone steals my generic forum logon password - all they'll get is my throwaway email account to spam and the ability to post on sites like this as me.

            So what do you do when you want to check your bank balance from a machine other than your PC?

            My bank supplies a (physical) code generator that takes a pin number and generates a number. I don't carry that with me either, so I can't get access to my bank account when I'm out anyway.

            Having said that, I was simplifying. I do keep a copy of the password file on my phone. It's encrypted, and there'

      • by isorox (205688)

        But then one would be forced to be a complete idiot who implicitly stated that passwords were a good measure and that people have good enough memories and enough time on their hands to manage one unique strong password for every website they visit.

        Luckily one wouldn't say that. (maybe you would though.)

        Take one good password (say 12-15 characters)
        Then prepend it with a unique 4 or 5 characters which you keep written down in a file on your computer

        Each password then ends up being 16-20 characters long, however even if someone broke the hash (or some stupid site stored it in plain text -- like the one of the UK 2012 party conference accreditations), it would still be very hard to cross-contaminate the passwords.

        • Better, but still not very good. At best, a cracker needs to correlate your passwords from two leaks, to see which part is the variable part. Or perhaps he can figure it out looking at just a single instance, if the variable bit is obvious enough.

          It's better to use a password manager, and two factor authentication where it is offered, such as gmail.

          For that matter, I store many passwords in gmail. If someone has gained control of that account, they can use password resets to gain access to those sites anywa

          • Or you could do something silly, like NOT USING THE SAME USER ID IN MULTIPLE LOCATIONS.

            For me, if it relates to money or control of a system, it has a unique user ID, password, and even email address. Break into Yahoo, and you might get my Yahoo account info, but you can't use it to figure out my eBay account information. Break into eBay, and you still don't have what you need to find my PayPal account.

            But people trust internet too much.

            • by tepples (727027)
              A lot of web sites treat the user ID as the display name as well or tie it to a domain name. For example, if your eBay account name is philshobbyshop and your PayPal account is (something)@philshobbyshop.com, which of those should be changed?
          • by isorox (205688)

            Better, but still not very good. At best, a cracker needs to correlate your passwords from two leaks, to see which part is the variable part. Or perhaps he can figure it out looking at just a single instance, if the variable bit is obvious enough.

            It's better to use a password manager, and two factor authentication where it is offered, such as gmail.

            For that matter, I store many passwords in gmail. If someone has gained control of that account, they can use password resets to gain access to those sites anyway, so there's no additional risk in storing them there.

            If a cracker is really after me specifically, I'm probably screwed regardless. Devil take the hindmost.

    • by NeveRBorN (86123)

      I was just about to post the same thing. This guy should be suing himself. Now that's a trial I'd follow.

    • by Anonymous Coward

      It's beyond negligence. If you reuse the same password for service X and Y, then you're implicitly trusting the owners of service X not to compromise your account at service Y. Therefore, you either (a) give the same password to anyone who puts a form on the web and asks for your password; this means you do not care who gets your password -- in other words, you admit it's your own fault or (b) you admit to discriminating between websites and using different passwords based on level of trust; therefore you a

      • TRWTF (Score:5, Insightful)

        by Anonymous Coward on Friday August 03, 2012 @12:59AM (#40864781)

        On the other hand, neither service X nor service Y should be storing your passwords in such a way that it is possible to recover the actual password.

      • Yes, he screwed up, but so did Yahoo.

        This is why we have the concept of contributory negligence. If he and Yahoo are found to have contributed equally he will only get half his damages.

        • by Khyber (864651)

          Not happening. No excuse for Yahoo to store shit as plaintext.

          This lies squarely on Yahoo in today's world of technology. The common man cannot be expected to understand how Yahoo stores and protects passwords, even with a full explanation.
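The point several commenters make above (neither service should store a password in a form that can be recovered, and plaintext storage is inexcusable) is easier to see side by side in code. The following is an added example, not code from Slashdot, Yahoo or any commenter: it contrasts a plaintext "store" with a salted, deliberately slow PBKDF2-HMAC-SHA256 record. The record layout (`algorithm$iterations$salt_hex$hash_hex`), the iteration count and the sample password are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed record format for this example: algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # cost parameter; tune upward as hardware gets faster
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The practice the thread condemns: anyone who reads the table reads the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Derive a salted, slow hash. The stored record cannot be turned back into the password,
    and the per-user salt means two users with the same password get different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample credential; not a real user's password.
    pw = "correct horse battery staple"
    print("plaintext table would hold:", store_plaintext(pw))
    rec = hash_password(pw)
    print("hashed record:", rec)
    print("login with right password:", verify_password(pw, rec))
    print("login with wrong password:", verify_password("hunter2", rec))
```

A leaked table of such records still lets an attacker guess offline, which is why the cost parameter and the salt matter: the salt stops one precomputed table from covering every user, and the iteration count makes each guess expensive.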

    • by synapse7 (1075571)
      On the contrary, should he get a large settlement, using the same password may be profitable.
    • One could say that reusing a password is negligent....

      Yes, it is, but once the password leaked from Yahoo, his account would have been pwned nevertheless:
      Step 1 - go to Ebay
      Step 2 - click on "recover password"
      Step 3 - log into his @yahoo.com e-mail with the leaked password
      Step 4 - reset password
      Step 5 - ??? Profit (how appropriate)
      The e-mail password serves as a sort of "master password" nowadays --- once it gets public, all your other passwords can be compromised.

      • Banks and other high risk sites have two factor. You have to call or have a txt sent with a one time pass code to your phone. Can't change the phone number without logging in.

    • by Tom (822)

      What world do you live in? 1975?

      The average computer user these days has how many different logins to how many different services, websites, etc. etc.? I'd guess that 20 is on the low end, and 100 not entirely uncommon.

      So, Einstein, pick one: Re-using passwords or writing them down somewhere (or storing them somewhere, like a password manager). It's one or the other, because you can not seriously expect people to remember several dozen different passwords. All of which, of course, are not meaningful words b

    • Yahoo is an OpenID provider.
  • Liability (Score:2, Insightful)

    by Malf.me (2697131)
    Regrettably a liability lawsuit like this seems to be one of the only tools available to encourage large organizations to take computer security seriously.
  • by Anonymous Coward

    I'd LOVE to see companies start getting sued for this kind of stuff. It's really getting out of hand with how negligent companies are. If the government isn't going to do the job I say we can do the job ourselves via lawsuits. They start losing enough money they'll start thinking about not screwing up like this.

    Granted, the logic of them being sued is kind of BS. Everyone knows better than to use the same password at multiple locations because of the possibility of this exact outcome, but I still hope Y

    • by Khyber (864651)

      "If the government isn't going to do the job I say we can do the job ourselves via lawsuits."

      The irony of this statement......

      Guess who handles the lawsuits?

      Yup, the government.

  • How is this done with better passwords and well thought out networks?
    Weeks with 10 top brand GPUs, i.e. a small system?
    Weeks with many many networked "10 top GPUs" systems?
    Or the classic inside-out decryption, i.e. one person with a laptop and hacking skills?
  • Image of Trust (Score:5, Insightful)

    by Penurious Penguin (2687307) on Friday August 03, 2012 @01:10AM (#40864815) Homepage Journal
    Because Yahoo and other similar services pimp the image of being both sophisticated and virtually omnipotent, while offering to manage your affairs, organize your life, provide targeted news headlines and personal suggestions regarding your personal life, and then covertly subpimp your personal data while indifferently and deeply mining your grazing habits -- I think this lawsuit is, compared to others, reasonable, if a lawsuit without grievous injuries or loss can even be so.

    Not everyone has a degree in IT. Perhaps instead of guerrilla advertisement, Yahoo (and other similar services) could cough up at least a token effort for their cattle, I mean customers. Maybe they could reserve some extra ad-space to discourage unknowing subjects from having shared passwords. Maybe they could do a lot more in general, and a lot less too, in a good way.

    I sympathize with neither side in this case, but can empathize with only one. Altruism, despite modern Goliaths, doesn't always need an ulterior motive. Yahoo preys on the sea of humanity, and a few minnows nip back. Pardon me whilst I desiccate myself with tears.
  • I'm sure there will be many valid points made about how utterly irresponsible it is to use the same username and password on both your email account and "financial" sites, and also about how terrible Yahoo! is for making very little effort to make amends to their customers whose privacy they clearly don't value... And sure, this lawsuit will likely tie up the court system and waste thousands, possibly millions of taxpayer dollars... And maybe Yahoo! will ultimately be required to send each of those 450,00
    • Agree with the above - Let's have a little disclosure here - more than likely, the attorneys representing the plaintiff are schooling in fashioning class action lawsuits. This "plaintiff" is likely a stand-in until the attorneys move to certify the class. If allowed by the court, the case will settle for $X millions, with the attorneys taking their 1/3 contingency. If the class is not certified, the case will go away. In the end, I suspect the attorneys here are little different than your common patent
  • Using a lame password was also the problem. I am not sure if it was on /. too, but I saw it on another news site where they showed the passwords. I think it was more than 80% of the passwords used were dictionary words and weren't even m0dif1ed.

    https://xkcd.com/936/ [xkcd.com] ...yeah :/
  • Yeah yeah yeah, you can all say the user is stupid for using the same password on multiple sites. /careface

    Yahoo still lost 400000 passwords and coming from a corp that's not on. End of story. The way many big companies handle user data is complete bs and there's no arguing that.

  • If someone wants to use the same password for every website, he / she should be able to without fear of having their information stolen. If some organization or company decides to make your personal information accessible through the internet, who are you (or anyone else for that matter) to tell any other person what password to use to access this information? If someone can't use the same password for multiple websites / applications / whatever, then it's clear to me that passwords are antiquated. What's
  • If a company built a bridge and it collapsed, that company would be likely to face a lawsuit and a fine. Engineers take safety and security seriously; so should software engineers.

  • Using the same password for multiple accounts is a negligent user behavior, though I'd say that storing hundreds of thousands of passwords in clear text wins as being vastly more irresponsible.

  • But he'd only win for damage caused by misuse of HIS YAHOO account and of accounts accessed through HIS YAHOO login, such as newspaper-comment accounts that allow Yahoo-account-based logins.

    But as for his eBay account, sorry, unless the bad guys used his Yahoo account to do a password-reset or password-retrieval of his eBay account, that's on him.

  • ...after his eBay account, which used the same password as his Voices account, was compromised.

    Analogy: Jeff Alan from New Hampshire decides to use the same numerical combination on both his briefcase and his bike lock. A thief watches Jeff pedal up to a cafe, lock his bike, and grab a table. The thief easily shoulder surfs the briefcase lock combination. On a hunch, the thief walks outside and tries the same combination on Jeff's bike lock. It works, and the thief makes off with Jeff's bike. Jeff Alan from New Hampshire then sues the briefcase company for negligence, and demands that they repla

  • The cost of this is broader than the affected users. Almost every person that the affected people had ever emailed got sent a bad email with a link to an exploit kit.

    We all need to do better with passwords from storing them to using them more than once. I'd like a SSO-like two factor authentication where each person can pick both parties. That would get more players out of the password storing game, but we would be centralizing our risk. And not everyone can afford a randomized idea like SecurID on on
